OpenClaw

Skill details (site mirror, no comments)

Tech Debt Tracker

Scan codebases for technical debt, score severity, track trends, and generate prioritized remediation plans. Use when users mention tech debt, code quality,...

Media and Content

Author: Alireza Rezvani @alirezarezvani

License: MIT-0

MIT-0 · Free to use, modify, and redistribute. No attribution required.

Version: v2.1.1

Stats: ⭐ 0 · 488 · 2 current installs · 2 all-time installs

Installs (current): 2

🛡 VirusTotal: benign · OpenClaw: suspicious

Package: alirezarezvani/tech-debt-tracker

Security scan (ClawHub)

  • VirusTotal: benign
  • OpenClaw: suspicious

OpenClaw assessment

The skill's purpose (scan/prioritize/track tech debt) matches the included tools, but the bundle contains multiple hard-coded secrets and sample code that makes network calls — these elements are unexpected for an instruction-only scanner and deserve review before running on real code or granting it CI integration.

Purpose

The name/description describe a code-scanning + prioritization + dashboard tool, and the repository contains scanner, prioritizer, and dashboard scripts that align with that purpose. However, the assets include sample application code (payment_processor.py, user_service.py, frontend.js) containing hard-coded API keys, database URLs, and calls to external payment APIs. Those sample files may be intended as inputs for the scanner, but they are n…

Instruction scope

SKILL.md and README instruct the agent/operator to run local Python scripts (e.g., python scripts/debt_scanner.py /path/to/codebase) and to integrate scanning into CI. The instructions do not explicitly tell the agent to read system-wide config, arbitrary host files, or to POST results to unexpected remote endpoints. That said, the README references optional integrations (Jira/GitHub/Chat systems) and an example automated-reporting bash snippe…

Install mechanism

There is no install specification (instruction-only skill). No packages are pulled or arbitrary URLs downloaded by the skill manifest itself, minimizing installer risk. The risk surface comes from running the included scripts locally.

Credentials

The skill declares no required environment variables or credentials, but multiple included sample/source files contain hard-coded secrets and connection strings: e.g., stripe_key/paypal_key/square_key in assets/sample_codebase/src/payment_processor.py, API_KEY and DATABASE_URL in assets/sample_codebase/src/user_service.py, and API_KEY in frontend.js. Those secrets are not justified by the skill manifest (the scanner should not need them) and c…

Persistence

The skill does not request permanent presence (always: false) and is user-invocable. It does not declare modifications to other skills or system-wide settings. Autonomous invocation is allowed (disable-model-invocation: false) which is platform default; this combination is not, by itself, an additional red flag given other issues.

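Install (copy to Lobster AI)

Copy the entire block below into a Lobster Chinese Library chat, and Lobster will complete the installation by following SKILL.md.

Hand this paragraph to Lobster Chinese Library (Lobster AI) to execute: install the OpenClaw skill "Tech Debt Tracker" on this machine. Summary: Scan codebases for technical debt, score severity, track trends, and generate p…
Please fetch the following address to read SKILL.md and complete the installation as documented: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/alirezarezvani/tech-debt-tracker/SKILL.md
(Source: yingzhi8.cn skill library)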
